Guide to enhance the protection for ADManager Plus installation

    This document provides the steps to improve the security of your ADManager Plus instance for the specific scenarios described below.

    Preventing a user in the Authenticated Users group from tampering with the ADManager Plus bin folder

    By default, ADManager Plus is installed in the C:\Program Files\ManageEngine folder. Starting from the 7210 release, the Authenticated Users group no longer has access to the installation directory; only the SYSTEM, Administrators and Domain Admins groups and the user account linked during installation have access by default.

    In prior builds, in a few cases, even users without administrative privileges who were members of the Authenticated Users group were given Full Control permission on the files in the installation directory. To remove the Authenticated Users group from the Access Control List (ACL) of the ADManager Plus installation folder, follow the instructions below.

    Solution

    There are two ways to address this. You can either modify the permission settings manually or run the SecureDeployment.exe file, which modifies the settings for you.

    1. Using SecureDeployment.exe
    2. Manually modifying permissions
      • When ADManager Plus is installed in the C:\ManageEngine folder
      • When ADManager Plus is installed in the C:\Program Files folder

    1. Using SecureDeployment.exe

    The SecureDeployment.exe file in the bin directory automatically:

    • Prevents users in the Authenticated Users group from accessing the ADManager Plus installation folders.
    • Assigns Full Control permission to the specified account.
    • Configures the 'log-on as' account credentials if ADManager Plus runs as a service.

    Running SecureDeployment.exe ensures that the deployment environment is secured.

    2. Manually modifying permissions

    a. Steps to perform if ADManager Plus is installed in the C:\ManageEngine folder:

    i. If ADManager Plus is installed on a client OS

    ii. If ADManager Plus is installed on a server OS

    By default, the C: directory on a client OS grants Authenticated Users the Modify permission on subfolders. The C: directory on a server OS, however, does not have Authenticated Users in its ACL.

    i) If ADManager Plus is installed on a client OS

    To allow users with lower privileges to start or stop ADManager Plus on the client OS, follow these steps:

    1. Disable inheritance on the C:\ManageEngine\ADManager Plus folder.
    2. Remove Authenticated Users from the ACL.
    3. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    4. Assign the Modify permission on the C:\ManageEngine\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that this account has the Modify permission.

    ii) If ADManager Plus is installed on a server OS

    1. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign the Modify permission on the C:\ManageEngine\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that this account has the Modify permission.

    Note: The steps in both of the above cases also apply to any installation location of your choice other than C:\ManageEngine.

    b. Steps to perform if ADManager Plus is installed in the C:\Program Files folder:

    1. Remove the Authenticated Users permission from these folders under the product's installation folder: bin\licenses, lib\licenses, temp, webapps\adsm\temp
    2. Assign the Modify permission on the C:\Program Files\ADManager Plus folder to the users responsible for starting the product. If the product is installed as a service with a 'log-on as' account, ensure that this account has the Modify permission.
    Note:
    • Microsoft recommends that software be installed in the Program Files directory. Based on your specific needs or organizational policies, you can choose a different location.
    • The steps in this guide apply to all ManageEngine products that have 'C:\ManageEngine' as the default installation location.
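The manual steps above (disable inheritance on the client OS, strip Authenticated Users from the installation folder and the four named subfolders, then grant the operator or 'log-on as' account Modify) can be applied and verified with the following PowerShell. This is an added example written for this guide; it is not SecureDeployment.exe or any ManageEngine code. The install path `C:\ManageEngine\ADManager Plus`, the account `CONTOSO\admp-svc` and the function names are assumptions chosen for illustration and must be replaced with your own values. Authenticated Users is matched by its well-known SID S-1-5-11 so the check works regardless of the OS language.

```powershell
# Added example: PowerShell equivalent of the manual permission steps in this guide.
# Not ManageEngine's SecureDeployment.exe or any ADManager Plus code.
# Assumptions (hypothetical values, replace for your environment):
#   -InstallRoot     : the ADManager Plus installation folder
#   -OperatorAccount : the account that starts/stops the product, or the service 'log-on as' account
# Run from an elevated PowerShell session on the ADManager Plus host.

Set-StrictMode -Version Latest

# The subfolders named in the guide; Authenticated Users must lose access to each of them.
$SubFolders = 'bin\licenses', 'lib\licenses', 'temp', 'webapps\adsm\temp'

function Test-IsAuthenticatedUsers {
    # Match on the well-known SID S-1-5-11 rather than on the localized group name.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11' }
    catch { $false }
}

function Get-AuthenticatedUsersAccess {
    # Audit: list every Allow ACE for Authenticated Users on a folder, explicit or inherited.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-IsAuthenticatedUsers $ace.IdentityReference)) {
            [pscustomobject]@{ Path = $Path; Rights = $ace.FileSystemRights; IsInherited = $ace.IsInherited }
        }
    }
}

function Remove-AuthenticatedUsersAccess {
    # Steps 1-3 of the guide for one folder. -DisableInheritance first converts inherited ACEs
    # into explicit ones (client OS case) so that the Authenticated Users entry can be removed.
    param([Parameter(Mandatory)][string]$Path, [switch]$DisableInheritance)
    $acl = Get-Acl -LiteralPath $Path
    if ($DisableInheritance) {
        $acl.SetAccessRuleProtection($true, $true)   # isProtected = true, preserveInheritance = true
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
    }
    $removed = 0
    foreach ($ace in @($acl.Access)) {               # snapshot, since we modify the ACL in the loop
        if (-not $ace.IsInherited -and (Test-IsAuthenticatedUsers $ace.IdentityReference)) {
            [void]$acl.RemoveAccessRule($ace)
            $removed++
        }
    }
    if ($removed -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $removed
}

function Grant-ModifyAccess {
    # Step 4 of the guide: give the operator / 'log-on as' account Modify on the install folder,
    # inherited by all files and subfolders beneath it.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Invoke-ADManagerPlusAclHardening {
    param(
        [Parameter(Mandatory)][string]$InstallRoot,
        [Parameter(Mandatory)][string]$OperatorAccount,
        [switch]$ClientOS   # client OS under C:\ManageEngine: also disable inheritance at the root
    )
    if ($ClientOS) {
        $null = Remove-AuthenticatedUsersAccess -Path $InstallRoot -DisableInheritance
    }
    foreach ($rel in $SubFolders) {
        $folder = Join-Path $InstallRoot $rel
        if (Test-Path -LiteralPath $folder) { $null = Remove-AuthenticatedUsersAccess -Path $folder }
    }
    Grant-ModifyAccess -Path $InstallRoot -Account $OperatorAccount

    # Verification: any row returned here means the hardening is incomplete. An inherited entry
    # on a subfolder points at a parent ACL (for example C:\ on a client OS) that still grants
    # Authenticated Users access and needs inheritance disabled.
    $toCheck = @($InstallRoot) + @($SubFolders | ForEach-Object { Join-Path $InstallRoot $_ })
    $toCheck | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-AuthenticatedUsersAccess -Path $_ }
}

# Usage (client OS, C:\ManageEngine location, hypothetical service account):
# Invoke-ADManagerPlusAclHardening -InstallRoot 'C:\ManageEngine\ADManager Plus' -OperatorAccount 'CONTOSO\admp-svc' -ClientOS
# Server OS or C:\Program Files location: omit -ClientOS.
```

Run `Get-AuthenticatedUsersAccess` on its own before making changes to record the starting state; an empty result after `Invoke-ADManagerPlusAclHardening` is the expected outcome. The Get-Acl / Set-Acl round trip rewrites the folder's owner as well as its DACL, which is why the session has to be elevated.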

    Disabling or restricting the Employee Search option

    ADManager Plus' Employee Search lets users or employees look up the details of fellow employees and contacts in their organization.

    Description: Employee Search is one of the popular features of ADManager Plus, is used as a corporate directory search, and is enabled by default. However, to suit the specific needs of your organization, or for security reasons, you might want to display only specific details of users and contacts in the search results, or might prefer not to offer this option at all.

    Solution

    Depending on your needs, you can:

    1. Limit the scope of Employee Search to specific domains or OUs.
    2. Specify which details of users or contacts are displayed in the search results.
    3. Specify the attributes or details by which users or contacts can be located.
    4. Disable the Employee Search option.

    The steps are as follows:

    1. Log in to ADManager Plus.
    2. Click the Admin tab.
    3. From the options on the left-hand side, click Employee Preferences and select Configure AD Search.
      • Disabling Employee Search: Uncheck the 'Show Employee Search in login page' option to disable this search completely and remove it from the login page.
      • Limiting the scope of Employee Search: Select the domain and its corresponding OUs from the ones displayed in the Selected Domains field to restrict the search to that domain and its OUs.
      • Limiting the search to only user and/or contact objects: Click the Users and Contacts tabs and uncheck the ones that you do not wish to be searchable through this option. Also, under the Users and Contacts tabs, under Available Columns, in Display Columns, uncheck the attributes or details that you do not want displayed in the search results.
      • Specifying the attributes by which users or contacts can be searched: Under the Users and Contacts tabs, under Search Criteria, in Available Columns, select only the desired attributes.
    4. Click Save Settings to save your preferred settings for Employee Search.

    Change ADManager Plus' default admin password

    Why should you do this?

    If ADManager Plus' default admin password is not changed, anyone who knows the default password could use it to log in to the product and make malicious changes in your Active Directory (AD) or view information about AD objects.

    What can you do to address this situation?

    For security reasons, we recommend that you change the default admin password, at the latest before you move from the evaluation phase to the deployment phase. You can change the default password in the 'My Account' section in the top right corner of the product's web console.

    Click here for steps to change the default admin password.

    Additional security for ADManager Plus logins

    ADManager Plus supports smart card authentication, two-factor authentication (TFA), CAPTCHA and similar controls, and also allows you to block users after bad password attempts, to secure the user logon process and prevent unauthorized users from logging in. Click the links below for steps to configure the various options that secure the logon process for your users.

    Security hardening

    ADManager Plus offers a series of security and data privacy options to improve your management and reporting experience, secure access to the product, secure data disposal, and more. To learn how to configure the security and privacy settings in ADManager Plus, click here.

    Note: For securely hosting ADManager Plus over the internet, refer to this deployment guide.
